hadoop-common-issues mailing list archives

From "Remus Rusanu (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-11321) copyToLocal cannot save a file to an SMB share unless the user has Full Control permissions.
Date Wed, 10 Dec 2014 09:55:12 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-11321?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14240866#comment-14240866 ]

Remus Rusanu commented on HADOOP-11321:
---------------------------------------

The WSCE file operations should only apply to container launch/localization. Even if all the
NM operations succeed on an SMB share, the impersonated container launched by WSCE
will fail to launch on an SMB share because it implies Kerberos delegation, and the S4U token
used by the WSCE impersonation model does not support delegation.

> copyToLocal cannot save a file to an SMB share unless the user has Full Control permissions.
> --------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-11321
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11321
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: fs
>    Affects Versions: 2.6.0
>            Reporter: Chris Nauroth
>            Assignee: Chris Nauroth
>         Attachments: HADOOP-11321.003.patch, HADOOP-11321.004.patch, HADOOP-11321.1.patch,
>                      HADOOP-11321.2.patch, winutils.tmp.patch
>
>
> In Hadoop 2, it is impossible to use {{copyToLocal}} to copy a file from HDFS to a destination
> on an SMB share.  This is because in Hadoop 2, the {{copyToLocal}} maps to 2 underlying {{RawLocalFileSystem}}
> operations: {{create}} and {{setPermission}}.  On an SMB share, the user may be authorized
> for the {{create}} but denied for the {{setPermission}}.  Windows denies the {{WRITE_DAC}}
> right required by {{setPermission}} unless the user has Full Control permissions.  Granting
> Full Control isn't feasible for most deployments, because it's insecure.  This is a regression
> from Hadoop 1, where {{copyToLocal}} only did a {{create}} and didn't do a separate {{setPermission}}.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
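
The access check behind the issue description, as an added example that is not part of the original message or of the Hadoop code base. It is a simplified model using the standard Windows access-mask values: a single granted mask stands in for the user's effective rights on the share, and mapping {{create}} to FILE_ADD_FILE is an assumption of the model (the {{setPermission}} to WRITE_DAC mapping is the one the issue states).

```python
# Standard Windows access-right bit values (winnt.h).
FILE_ADD_FILE = 0x000002      # create a file inside a directory
FILE_DELETE_CHILD = 0x000040  # delete children of a directory
WRITE_DAC = 0x040000          # rewrite the object's DACL
WRITE_OWNER = 0x080000        # take ownership of the object
MODIFY = 0x1301BF             # the "Modify" permission set
FULL_CONTROL = 0x1F01FF       # FILE_ALL_ACCESS, shown as "Full Control"

RIGHT_NAMES = {
    FILE_ADD_FILE: "FILE_ADD_FILE",
    FILE_DELETE_CHILD: "FILE_DELETE_CHILD",
    WRITE_DAC: "WRITE_DAC",
    WRITE_OWNER: "WRITE_OWNER",
}

# Right each RawLocalFileSystem operation needs in this model.
# setPermission -> WRITE_DAC comes from the issue text;
# create -> FILE_ADD_FILE is an assumption made for the example.
REQUIRED = {"create": FILE_ADD_FILE, "setPermission": WRITE_DAC}

# Operation sequence behind copyToLocal, per the issue description.
COPY_TO_LOCAL = {
    "hadoop1": ["create"],
    "hadoop2": ["create", "setPermission"],
}


def access_check(granted, desired):
    """Windows-style check: every desired bit must be granted."""
    return (granted & desired) == desired


def copy_to_local(version, granted):
    """Return (succeeded, first_denied_operation_or_None)."""
    for op in COPY_TO_LOCAL[version]:
        if not access_check(granted, REQUIRED[op]):
            return (False, op)
    return (True, None)


def rights_only_in_full_control():
    """Names of the rights Full Control adds on top of Modify."""
    extra = FULL_CONTROL & ~MODIFY
    return sorted(n for bit, n in RIGHT_NAMES.items() if extra & bit)


if __name__ == "__main__":
    for version in ("hadoop1", "hadoop2"):
        for label, mask in (("Modify", MODIFY), ("Full Control", FULL_CONTROL)):
            print(version, label, copy_to_local(version, mask))
    print("Full Control adds:", rights_only_in_full_control())
```

The last function shows what granting Full Control as a workaround hands over beyond WRITE_DAC: WRITE_OWNER and FILE_DELETE_CHILD come with it.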
